Paul Tibbetts

Tue, 20 Jan 2026 11:07:29 +0000

My website is now hosted on a Raspberry Pi 🎉

Wed, 14 Jan 2026 11:50:32 +0000

Since running my Pangolin on a Pi experiment my host has added

This is a service aimed at hobbyists, and shouldn’t be used for nuclear power station command and control systems.

to their sign up page (before).

I’m sure it’s a coincidence, but today I am moving Pangolin to a VPS.

HomeBox in my homelab installation notes

Sun, 11 Jan 2026 14:56:05 +0000

HomeBox is a self-hosted inventory management system that I’ve just installed into my homelab. This is a log of how I did it.

Architecture

HomeBox can run entirely independently using a SQLite database, the local file system for storage, and its own user system for authentication. However it can also use PostgreSQL, S3-compatible storage, and OIDC for auth.

Since I have all of those things already running that’s how I set it up.

Install

The docs contain an example Docker compose file so I started with that. I use Ansible to configure my virtual machines and have one dedicated to Docker Compose stacks, so in my code I created a new directory for HomeBox and added the example Docker Compose file.

If I was using the default setup I could have stopped there but I’m using the extra things I mentioned above and each one of them needs a secret. Instead of writing the secrets as plain-text I used Ansible vault to encrypt a template file in my repo and then write that as .env to the same directory as the compose file. Docker Compose will automatically read it and use its values when referenced in the docker-compose.yaml file.

Database

I have a virtual machine dedicated to running Postgres and use the geerlingguy/docker-role-postgresql role to configure it. In my group_vars/postgres/main.yaml file I added lines for a new homebox database and user to postgresql_databases, postgresql_users and postgresql_hba_entries. The new postgresql_user uses a password of "{{ vault_homebox_database_password }}" so I created a new password and entered it into my group_vars/postgres/vault.yaml file which is also encrypted with Ansible vault.

To use it I added:

- HBOX_DATABASE_DRIVER=postgres
- HBOX_DATABASE_HOST=postgres.infra.home.arpa
- HBOX_DATABASE_PORT=5432
- HBOX_DATABASE_USERNAME=homebox
- HBOX_DATABASE_PASSWORD=${HBOX_DATABASE_PASSWORD}
- HBOX_DATABASE_DATABASE=homebox

to the environment part of the docker-compose.yaml.

The role that sets up the Docker Compose stacks doesn’t read the values I set for the Postgres role, so I had to copy the password I used for the database into the encrypted file that creates the .env for HomeBox. I now have that same password written twice, once for the database and once for HomeBox to use it.

Storage

I’m currently running MinIO on my TrueNAS Scale machine and I can use that for S3-compatible storage. I set it up before they changed their license and now migrating to an alternative is yet another thing on my TODO list.

I created a new bucket by using the mc CLI client to run:

mc mb lab/homebox

To use it I added:

- AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
- AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
- HBOX_STORAGE_CONN_STRING=s3://homebox?awssdk=v2&endpoint=http://<NAS_IP>:9000&disable_https=true&s3ForcePathStyle=true

to the environment part of my docker-compose.yaml.

The “AWS” (Minio) values are also secrets added to the template that writes out the .env file.

The HBOX_STORAGE_CONN_STRING value comes from the HomeBox docs.

Note to self: I should also set up nas.infra.home.arpa like I did for Postgres.

OIDC

I have Kanidm set up as an IdP and it can do OIDC for HomeBox to use for authentication.

To create the client in Kanidm I ran:

kanidm system oauth2 create homebox HomeBox "https://homebox.cloud.paultibbetts.uk"
kanidm group create homebox_users
kanidm group add-members homebox_users paul
kanidm system oauth2 update-scope-map homebox homebox_users openid profile email

and to set the logo for it I ran:

curl -o homebox.svg https://raw.githubusercontent.com/sysadminsmedia/homebox/refs/heads/main/docs/public/lilbox.svg
kanidm system oauth2 set-image homebox homebox.svg svg
rm homebox.svg

The docker compose environment values to use Kanidm for OIDC are:

- HBOX_OPTIONS_HOSTNAME=homebox.cloud.paultibbetts.uk
- HBOX_OIDC_ENABLED=true
- HBOX_OIDC_ISSUER_URL=https://<kanidm_domain>/oauth2/openid/homebox
- HBOX_OIDC_CLIENT_ID=homebox
- HBOX_OIDC_CLIENT_SECRET=${HBOX_OIDC_CLIENT_SECRET}
- HBOX_OPTIONS_TRUST_PROXY=true

where HBOX_OIDCD_CLIENT_SECRET is another secret added to the .env template.

DNS

I use Pi-hole for ad-blocking and custom DNS records in my homelab.

I don’t yet have an automated way to configure it, so I did it using the web UI, and wrote another reminder to automate this process.

I have an A record for the reverse proxy I use so I created a CNAME for HomeBox that points homebox.cloud.paultibbetts.uk to the reverse proxy.

I could set up an A record for HomeBox but that would mean writing out the IP of the reverse proxy, whereas using a CNAME means I can enter its domain, which is easier to remember than numbers. It also means I could move the reverse proxy to another server and I would only need to update the A record for it and all the things pointing to it with CNAMEs would still work.

Reverse proxy

I use Caddy as a reverse proxy. This is configured by an Ansible role. Well it should be, I left all the tasks in the playbook but I only use it once in this one playbook so it doesn’t need to be.

The Caddyfile that configures all my virtual hosts is a template that Ansible writes out. I use Cloudflare’s DNS challenge when Caddy requests TLS certificates from Lets Encrypt and that needs a token for Cloudflare so I use an Ansible template file so I can encrypt the token using Ansible vault. I use the DNS challenge because my homelab isn’t on the internet so it’s not accessible to Lets Encrypt when it tries to do the regular HTTP challenge.

For HomeBox I added:

https://homebox.cloud.paultibbetts.uk {
  reverse_proxy apps.infra.home.arpa:3100
}

where apps.infra.home.arpa is an A record for the VM with Docker Compose running HomeBox. The 3100 port was defined earlier in the Docker Compose yaml file:

ports:
  - 3100:7745

Deploy

To deploy I ran the apps.yaml playbook to write the docker-compose.yaml file and the .env file that contains all the secrets. This also runs docker compose up -d so the stack is up and running by the end of it.

To add the virtual host to Caddy I ran my ingress.yaml playbook that configures Caddy.

Because this is my writeup I can pretend it all worked perfectly the first time and I definitely didn’t have a typo in my domain.

Initial test

I registered a user account using my email and set a password, just in case. I then logged out and tried again using OIDC and it logged me into the same account - this is because my email in Kanidm is the same one I used when registering. Some apps make separate accounts when logging in using a password or with OIDC but I like this approach more.

HomeBox doesn’t have a super user, it uses a multi-tenant setup where everyone gets their own inventory and you have to invite others to access yours. I haven’t tried this yet. I might not ever need it - I don’t want anyone else seeing how many unused cables I refuse to throw away.

Creating my account proved the database worked ✅, and logging in with Kanidm proved OIDC worked ✅, so I created an item in HomeBox and uploaded a photo and that proved the storage with MinIO worked ✅.

Thu, 08 Jan 2026 11:22:56 +0000

Adam Wathan, creator of Tailwind CSS:

had to lay off most of the team on Monday because AI has gutted our business so badly

Ouch.

More details in his morning walk podcast: Tailwind is more popular than ever but visits to the docs, where they advertise paid services, is down 40%.

Tue, 06 Jan 2026 12:20:13 +0000

Trying to close all my browser tabs is like fighting a hydra.

How to play The Beginner's Guide on a modern computer

Wed, 31 Dec 2025 14:49:39 +0000

For a game about the game development process I find it kind of fitting you need to run obscure commands from the internet to get it to work on a modern computer.

Without them, you can’t play the game at all. This feels intentional, like a puzzle that exists before the game even starts, and is almost impossible to solve.

The solution is pretty easy once you know it, you reduce how hard the machine is allowed to work, and is a reference to how we should slow ourselves down to better appreciate things.

When you’re ready to play, this is how you do it:

Windows 11

Press Windows + R to open the Run dialog.

Type in msconfig and click “OK”. This opens “System Configuration”.

Select the “Boot” tab.

Click “Advanced Options…”

In the new popup window check the “Number of processors” box and from the dropdown choose “8”, then click “OK” to close this window.

Now click “Apply” and then “OK”.

You must restart your computer for this to take effect. Afterwards the game should start without crashing.

Remember to undo this after playing the game as this fix has temporarily lowered the performance of your computer. It is not permanent and will not cause any damage, but you will struggle running as many apps and tabs in your browser while you have the fix applied.

Linux

It’s a lot easier to do this in Linux. You don’t need to reboot after, you can limit the change to apply only to The Beginner’s Guide, not the rest of your system, and you don’t need to remember to turn it off after.

Wine/Proton

Use the WINE_CPU_TOPOLOGY environment variable to limit the processors to 8:

WINE_CPU_TOPOLOGY=8:0,1,2,3,4,5,6,7

Steam

In Steam right click the game and choose “Properties”.

In “General” for the “Launch Options” use

WINE_CPU_TOPOLOGY=8:0,1,2,3,4,5,6,7 %command%

Other launchers

Steam is the only launcher I’ve tested this on.

For Lutris, Heroic or Bottles you need to set an environment variable using that launcher’s config for the game.

Credits

Thanks to Adam Eperjesi for the Unsplash image, Gameplay.tips for the Windows guide, fleakuda for linking to it, and everyone who contributes to ProtonDB, especially ShatteredScales for the Wine environment variable.

Tue, 30 Dec 2025 20:12:49 +0000

I tried to turn Pangolin on a Pi into a guide. It didn’t want to be one.

Sun, 28 Dec 2025 11:12:58 +0000

Spent yesterday dealing with a homelab problem I had baked into a VM template a year ago.

Makes me wonder what other bugs I’ve created and haven’t found yet.

Fri, 26 Sep 2025 14:09:18 +0000

Heading to Alpkit’s Big Shakeout Festival for the weekend.

Wed, 13 Aug 2025 12:37:44 +0000

Two weeks of rest and I’m recovered from my trip. Time to swap back to my nerd blog and do some computer stuff.

Checking in with my homelab after leaving it for a month

Wed, 13 Aug 2025 12:36:00 +0000

I recently had the pleasure of going outside and touching some grass, which means I haven’t worked on my homelab for about a month, and now I’m catching up.

I didn’t need to use it

I’m not running that many apps or services right now but it was still interesting to realise I didn’t need to use it whilst I was away. I went hiking and camping for 9 days and didn’t even think about computers, which was nice, and when I got back I was recovering and still didn’t use it.

It turns out my homelab is an indoors-only sort of thing.

It all worked fine

The one app I did use was FreshRSS, which syncs my RSS feeds with NetNewsWire on my phone and my laptop. The few times I used it I had new content to read, although I have that many unread articles I would have been fine if it had stopped working.

To use FreshRSS I had to be connected to my Wireguard VPN, so that also worked.

My monitoring failed

One thing that didn’t work was my monitoring setup.

Whilst I was away there was a brief power-cut to my homelab and all of my machines turned off. When the power came back they all turned on and resumed normal functions, except my Raspberry Pi.

This Raspberry Pi runs Uptime Kuma, for monitoring apps and services, as well as Beszel, for monitoring servers. I’m using an Argon One NVME case and I hadn’t set it to turn on when it receives power, so the Pi stayed off, and even though all of my services started working again I wasn’t told about it.

The immediate fix was to set the Argon One NVME case to turn on the Raspberry Pi 4 when it receives power, but in the long-term I might need to rethink my monitoring setup.

There’s been lots of updates

Before I went away I set up Renovate to track the dependencies in my homelab repo and send me pull requests when there are updates available. Now I’m back I can see it has maxed out at (the default) 10 updates and is waiting for me to review them before continuing.

I like this way of doing updates, it’s much easier than manually checking everything every time.

“Is it ready yet?”

My Pangolin on a Pi project stalled whilst I was away. This was meant to give friends and family easier access to the apps and services I’m running.

Mealie is the main app being used, but a close second now is Homebox, which is for inventory management.

I guess now I’ve recovered and my brain power’s been restored I’ll have to finish this.

How to set the Argon One NVME case to turn on Raspberry Pi when it receives power

Wed, 13 Aug 2025 12:19:00 +0000

We don’t get many power-cuts where I live but that doesn’t mean they never happen.

My monitoring apps are installed on a Raspberry Pi 4 which lives in an Argon One NVME case and by default it does not turn on when it receives power, you have to move the jumper pin.

The Jumper Pin

You can find the instructions for the jumper pin on pages 6 and 7 of the manual.

By default it connects pins 1 and 2 and this means you need to press the power button to turn on the Raspberry Pi.

To change it to turn on the Pi when it receives power you need to move it to pins 2 and 3.

Mon, 28 Jul 2025 16:49:00 +0000

Geneva ✈️ Manchester

Sun, 27 Jul 2025 12:27:00 +0000

Completed the Tour du Mont Blanc!

Sat, 19 Jul 2025 07:18:50 +0000

Starting the Tour du Mont Blanc today, will be posting from my hiking blog but there will inevitably be a double post or two

Fri, 18 Jul 2025 19:02:40 +0000

Chamonix 🇫🇷

Fri, 18 Jul 2025 11:21:59 +0000

Manchester ✈️ Geneva

Fri, 11 Jul 2025 12:59:29 +0000

Setting off to the other side of the island for the weekend.

Only 9 hours to go.

Thu, 10 Jul 2025 14:35:20 +0000

Booked my flight to Switzerland to hike the Tour du Mont Blanc, so now I’m doing some last minute shopping for new gear and replacements of all the lost and broken things since my last week long trip.

Sat, 05 Jul 2025 10:24:45 +0000

Pangolin works on my IPv6 only Pi 🎉

I’ve got some tidying up to do, then it needs a write-up.

Pangolin on a Pi project progress

Thu, 03 Jul 2025 15:54:12 +0000

Most things in tech play out like that scene from Malcom in the Middle, where Hal’s trying to do one thing and then he needs to do another, and another, until he’s forgotten where he started.

Pangolin on a Pi started off as a quick little test that turned into a week long adventure.

Pangolin

Pangolin is an app that lets you tunnel into a private network, securely, from the outer internet. This means you can run your own apps and services at home and use Pangolin to let your friends and family connect to them.

You can do the same thing with Cloudflare tunnels except that way Cloudflare can read everything that goes through the tunnel and they don’t want you using it for movies, so you’re not supposed to use it for Jellyfin or Plex.

I’m not planning on using it for Jellyfin, but I like that the option’s there with Pangolin, and that it’s hosted on my own server.

Hosting

Except it’s not my own server, because I don’t have one of those huge internet cables like the big companies do, so I have to rent access to one from them.

It doesn’t need to be a big server, only 1GB of RAM and 1 vCPU, which you can get for $1 per month if you go with RackNerd.

Which is great if you live in the US, since you’re close to any one of the 6 data centres you can choose from for that offer, but I don’t, I live all the way across the pond.

UK Hosting

The closer this server is to where I am the better. In the UK server hosting mainly happens in London, which is close enough to me to be super fast, even if there are other places I could choose.

Like Manchester, which is closer to me than London. I was surprised to find they had their own data centres I could host from. I could only find one company that offered it publicly though, which was ran by an American company.

I don’t want to talk about recent events, but I don’t want to spend my money with a company that pays its taxes to a government that just bombed the country my friend’s family lives in. I’m not getting involved in any of this. I will choose a different company.

Preferably one in the UK; as I’ve aged I’ve realised it’s up to us to keep this island afloat.

Mythic Beasts

A quick Reddit search led me to Mythic Beasts, an independent, privately owned company based in the UK, with lots of good reviews.

They even had a blog, and it didn’t take long to find a post titled “Supporting the Open Rights Group”.

Yep, that’s all I need to read, I’m hosting my server here with these beasts.

Pi?

Mythic Beasts have their own rack of Raspberry Pis you can rent from.

Hosting on someone else’s computer isn’t a natural fit for the self-hosted way of doing things. But doing it on a Pi? That feels better for some reason.

Time to do a little test…

Terraform Provider?

I could have just clicked on the website to order a Pi. Maybe I should have.

Mythic Beasts have an API, so you can script your order and the management of the Pi, not that it needs much management. What they don’t have, which surprised me a little, is a Terraform Provider.

A Terraform Provider is the bit that connects Terraform, an industry standard tool for writing down servers as code, to the API of the server provider.

An ex member of staff started one using the older version of the Terraform Provider code, but they had archived it and since left the company.

Which gave me an idea.

I will write one!

I was looking for a chance to practise writing Go, as well as create a project to put on my GitHub, which had gotten a little quiet recently, and now I’d found one.

How hard could it be?

WHY AREN’T THE DOCS ACCURATE?!

A small gripe, if I may, is that it helps if your API documentation is accurate. The docs I was reading were mostly accurate, and I could get around whatever differences there were, but it had been a while since I’d coded against someone else’s API and I’d forgotten this happens.

IPv6?

Since there are no more IPv4 addresses left the Pis are IPv6 only. Mythic Beasts host proxies that let you get into the Pis from IPv4 connections, which works for websites, but Pangolin needs a different type of access.

Newt?

Pangolin is the website part of the project, it’s the bit the users see and is hosted on the Pi. It works by letting only the right users into the secure Wireguard tunnel that goes into your home network.

The thing that you host at home that sets up the other side of the tunnel is called Newt. It uses Wireguard for the tunnel, and that speaks to the Pi on a particular port which isn’t proxied by Mythic Beasts.

Another proxy?

Maybe you could get another proxy for this, but then you’re hosting a tunnel for your tunnel.

So no.

IPv6!

You don’t need a proxy if you can connect to the Pi through IPv6.

Except I couldn’t.

I’ve known for years that we’ve ran out of IPv4 addresses and that they’re being passed around from company to company for larger and larger amounts of money.

Somehow IPv4 still works and we’re still using it, so I always thought I could deal with it when it became a problem.

Like it just had.

…

I now have IPv6 working at home which means I can connect to the Pi without a proxy 🎉.

I will write up what I did another time, this quick update is over 1,000 words already.

The next steps are:

install Newt on my home server
connect it to the Pi
profit

Mon, 30 Jun 2025 14:30:38 +0000

Pushed my developer environment setup scripts repo up to GitHub.

As mentioned in the readme:

This is what works for me. I don’t expect or encourage anyone else to use them.

Planning on writing a few posts about it, so more details on it soon.

Mon, 30 Jun 2025 10:37:31 +0000

This week’s aim is to find a better balance 🧘

Mon, 23 Jun 2025 15:58:13 +0000

Smoking BBQ Candy

share.fireboard.io/FE826C

Why would you want a home server?

Sat, 21 Jun 2025 16:15:58 +0000

Some thoughts to help you work out if you want a home server.

What’s a Home Server?

If you thought servers were big black boxes with blinky lights in noisy rooms then you’d be mostly correct, but a growing number of us are running them at home and they’re smaller and quieter than you think.

If you just want to block adverts with Pi-hole then you don’t need that much power and you can get away with a teeny tiny Raspberry Pi Zero that fits in your hand and costs £15.

A home server is any machine that lets you host things in your home.

Self-hosting

There’s a bunch of things you can self-host.

Services

Some services are only available by self-hosting them.

Blocking adverts in the browser alone means you still had to download the advert, even if you didn’t see it. Pi-hole blocks adverts by stopping your network from fetching the advert in the first place, which makes your browsing experience faster.

Jellyfin lets you host your own Netflix, and apps like calibre-web and audiobookshelf do the same for your books and podcasts.

Having a home server lets you make the most of your own media.

Applications

There are open source versions of loads of apps you’re already using, like Word processors and spreadsheets and stuff, as well as new ones you didn’t realise you’d need.

Mealie is one of my recent favourites, it’s a recipe management app that lets me do meal planning and then generate a shopping list with all the ingredients I need.

I use FreshRSS to keep up to date with RSS feeds as well as keep my phone and laptop clients in sync with each other.

Wireguard lets me access my home server from anywhere.

You can find more at Awesome Homelab and on Reddit.

Storage

If you’ve read my Why would you want a NAS? post you’ll know whether you need something for storage.

What I didn’t mention is that the line between a home server and “a NAS” can be a little blurry.

“NAS” just means network storage and “a NAS” usually refers to the machine you dedicate to doing NAS things. You don’t have to own “a NAS” to have NAS.

NAS + self host

Most NAS software has the ability to run custom apps somehow, so if you mainly wanted storage and only wanted to run a few apps you could get away with using your NAS device as a home server.

You can run your own apps even on the consumer NAS devices like the ones from Synology.

Home server + Network Attached Storage

If you wanted the opposite, mainly to self-host with a little bit of network storage, you could get away with plugging in some drives to your home server and making them available over the network.

This could be as small as a Raspberry Pi 5 with an NVME plugged in to it.

Home server with NAS virtualised

Some people set up their home server for virtualisation and use a virtual machine to run their NAS software and then use other virtual machines for self-hosting, which means the same device is now both “a NAS” and “a home server”.

Home server and a NAS

I personally have different machines for my NAS and my home server, and I think I’m right, but then my NAS is sat idle 99% of the time, so maybe I’m not.